Downadup/Conficker worm? Or what?

Trying to resolve a problem with my 76-year-old mother’s antique Windows Vista machine. I’m attempting to do this via TeamViewer remote control, since I’m 700 miles away from her (and she’s relatively helpless as far as computers go). This problem cropped up almost immediately after she re-registered her free version of Avast and it subsequently updated to Avast 2016.

Here are the symptoms:
Can’t connect to Avast for any kind of updates (engine, virus or program).
Avast SecureLine: Disconnected.
Can’t download anything from the Avast website - or any other antivirus website. Most other non-antivirus websites still seem to load just fine (Yahoo, Google, Facebook, etc.).
Can’t open/save email attachments (although she can still send/receive email via her Windows Mail).

These symptoms led me to believe it might possibly be the Downadup/Conficker worm. So I’ve tried various supposed ‘fixes’ for that particular infection, including:
Avast full scan (showed no infections)
Microsoft Windows Malicious Software Removal Tool (showed clean computer with no malicious software)
Sophos Virus Removal Tool (clean, nothing to remove)
F-Downadup.exe
EConfickerRemover (nothing found)

I’ve also read that this sort of problem could be fixed by clearing the DNS cache. Tried that to no avail.

I’d be ever so grateful if someone had other suggestions I could try. Thanks in advance.

Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
We need Malwarebytes and Farbar Recovery Scan Tool logs. Attach the logs, 3 logs total.

See below the box you write in … Attachments and other options.

Since it is Christmas there may be some waiting time; I have not seen the Malware Removal team online today.

Thanks. I’ll get to work on it. And I totally understand about any xmas delays.

Oh, by the way, I forgot to mention that I DID run Malwarebytes Anti-Malware and it didn’t find anything, either. Also, whatever is blocking the computer would not allow Malwarebytes to update the database. So I just ran a scan using the existing database and it drew a blank. But I’ll run it again…

Oh, by the way, I forgot to mention that I DID run Malwarebytes Anti-Malware and it didn't find anything, either
If Malwarebytes doesn't detect anything, you can drop that log.

The two diagnostic logs from FRST are the important ones. They are the ones used for creating a fix.

Thanks. Working on it…

FRST and Addition logs attached.

Hello,

I’ll be working with you.

Scan with ComboFix

This is a very powerful tool that should be used only if advised by Malware Analyst.
Do not run ComboFix on your own!

Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

- Right-click on the ComboFix icon and select Run as Administrator to start the tool.
- Accept the disclaimer and agree if prompted to install Recovery Console.
- Do not take any actions while ComboFix goes through your System - it may cause it to stall!
- This scan may take some time!
- When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.

If you encounter any issues with your internet connection after running ComboFix, please visit this link.

If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.

OK, will do. Thanks.

Just for the record, here is the Malwarebytes log (below). Next, I’ll do aswMBR.exe. And finally (for now), I’ll scan with ComboFix.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/24/2015
Scan Time: 5:35:24 AM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.12.18.03
Rootkit Database: v2015.12.18.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Monalynn

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 298516
Time Elapsed: 29 min, 51 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

aswMBR log:

aswMBR version 1.0.1.2290 Copyright(c) 2014 AVAST Software
Run date: 2015-12-24 06:59:06

06:59:06.426 OS Version: Windows 6.0.6002 Service Pack 2
06:59:06.426 Number of processors: 2 586 0x209
06:59:06.429 ComputerName: MONALYNN-PC UserName: Monalynn
06:59:10.669 Initialize success
06:59:10.693 VM: initialized successfully
06:59:10.698 VM: Intel CPU virtualization not supported
06:59:16.269 AVAST engine defs: 15122102
06:59:49.138 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
06:59:49.167 Disk 0 Vendor: WDC_WD1200BB-22DWA0 15.05R15 Size: 114473MB BusType: 3
06:59:49.347 Disk 0 MBR read successfully
06:59:49.370 Disk 0 MBR scan
06:59:49.415 Disk 0 Windows VISTA default MBR code
06:59:49.446 Disk 0 Partition 1 00 12 Compaq diag NTFS 5130 MB offset 63
06:59:49.577 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15366 MB offset 10506510
06:59:49.604 Disk 0 Partition - 00 0F Extended LBA 93973 MB offset 41977845
06:59:49.654 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 93973 MB offset 41977908
06:59:49.712 Disk 0 scanning sectors +234436545
06:59:50.000 Disk 0 scanning D:\Windows\system32\drivers
07:00:07.330 Service scanning
07:00:57.814 Modules scanning
07:00:57.851 Disk 0 trace - called modules:
07:00:57.899 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
07:00:57.950 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85ceb3c0]
07:00:58.011 3 CLASSPNP.SYS[891b48b3] → nt!IofCallDriver → [0x85638520]
07:00:58.053 5 acpi.sys[88a566bc] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x84c827d8]
07:00:58.784 AVAST engine scan D:\Windows
07:01:01.059 AVAST engine scan D:\Windows\system32
07:05:32.790 AVAST engine scan D:\Windows\system32\drivers
07:05:57.860 AVAST engine scan D:\Users\Monalynn
07:16:15.336 AVAST engine scan D:\ProgramData
07:19:19.736 Disk 0 statistics 2464292/0/0 @ 1.41 MB/s
07:19:19.738 Scan finished successfully
07:20:15.227 Disk 0 MBR has been saved successfully to “D:\Users\Monalynn\Downloads\MBR.dat”
07:20:15.281 The log file has been saved successfully to “D:\Users\Monalynn\Downloads\aswMBR.txt”

Attach logs, do not copy and paste … see my first post.
You don't have to redo the ones posted :wink:

I did that (attach) with the big logs, but I didn’t think it was verboten with the smaller ones. Sorry!

was verboten
No, it is not verboten ;D just for ease.

This forum doesn't like long logs as they won't go in one post; copy and paste of FRST logs may be 20 posts :o

Can you focus only on getting ComboFix report?

Yep, that’s what I have been focusing on. Just takes a little while via remote control. Combofix log attached.

This computer isn’t infected.

I didn’t think so. But what else could be stopping it from connecting to and/or downloading from ONLY antivirus sites (other websites no problem)? Or disabling saving of email attachments. Why can’t it connect to or get updates from Avast? Any ideas?

I need you to download Complete Internet Repair:

http://www.majorgeeks.com/mg/getmirror/complete_internet_repair,1.html

Extract it and run ComIntRep.exe.

Check all boxes and click GO. Let me know when it is done. Restart your PC after completion.

Done. No change. Still cannot connect to Avast SecureLine. Still cannot connect to any Avast updates. Still cannot connect to or download from any other antivirus-type websites (either).

Still have no problem connecting to non-antivirus websites (Yahoo, Google, Facebook, etc.). Still have no problem sending/receiving email with Windows Mail (although attachments still cannot be saved).

Firewall? Sandbox? If not a virus, what could be blocking JUST those websites??? And why would this problem pop up seemingly out of the blue, with no changes to the computer - EXCEPT (coincidentally, right after) registering/updating Avast?

Is there some setting on Avast 2016 that might cause this?
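One way to narrow down the question asked above (what could block only the antivirus sites while everything else loads) is to probe both groups of sites in the same way and separate name-resolution failures from connection failures. The script below is an added example written for this thread; it is not code from Avast, the forum, or any tool mentioned here. The two domain lists are assumptions chosen from the sites the thread names, and the interpretation table is a rule of thumb, not a diagnosis. It uses only the Python standard library.

```python
"""Differential reachability probe for the symptom described in this thread:
antivirus sites unreachable while everyday sites load fine.

Added example for this thread, not code from Avast, the forum or any tool
mentioned above. The domain lists are assumptions drawn from sites the thread
names; the interpretation table is a rule of thumb, not a diagnosis.
"""
import socket
from dataclasses import dataclass

# Assumed lists: vendors named in the thread vs. sites the poster says still load.
AV_DOMAINS = ["www.avast.com", "www.malwarebytes.org", "www.sophos.com"]
CONTROL_DOMAINS = ["www.google.com", "www.yahoo.com", "www.facebook.com"]


@dataclass
class Probe:
    host: str
    resolved: bool   # the system resolver returned an address for the name
    connected: bool  # a TCP handshake to port 443 completed


def probe_host(host: str, port: int = 443, timeout: float = 5.0) -> Probe:
    """Resolve the name through the system resolver, then attempt one TCP connect."""
    try:
        sockaddr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return Probe(host, resolved=False, connected=False)
    try:
        with socket.create_connection(sockaddr, timeout=timeout):
            return Probe(host, resolved=True, connected=True)
    except OSError:
        return Probe(host, resolved=True, connected=False)


def classify(av_probes, control_probes) -> str:
    """Reduce the two probe sets to one of four findings."""
    if not all(p.connected for p in control_probes):
        return "general"          # everything fails: not the selective symptom
    failed = [p for p in av_probes if not p.connected]
    if not failed:
        return "none"             # antivirus sites reachable from this machine
    if all(not p.resolved for p in failed):
        return "dns-selective"    # only the antivirus names fail to resolve
    return "connect-selective"    # names resolve, but the TCP connect fails


FINDINGS = {
    "general": "General connectivity problem; a repair tool or the ISP is the place to look.",
    "none": "No selective block seen from this machine.",
    "dns-selective": ("Only antivirus names fail to resolve: check the hosts file, the "
                      "configured DNS servers and any DNS-filtering software. Conficker "
                      "produced this pattern by hooking the system DNS resolver."),
    "connect-selective": ("Names resolve but connections fail: look at the host firewall, "
                          "web shield or proxy rules before suspecting malware."),
}


def run() -> str:
    """Probe both groups, print a per-host table and the finding, return the finding."""
    av = [probe_host(h) for h in AV_DOMAINS]
    ctl = [probe_host(h) for h in CONTROL_DOMAINS]
    for p in av + ctl:
        print(f"{p.host:<24} resolved={str(p.resolved):<5} connected={p.connected}")
    finding = classify(av, ctl)
    print(FINDINGS[finding])
    return finding


if __name__ == "__main__":
    run()
```

Running it on the affected machine and on a known-good machine on the same network tells you whether the block lives on the PC (only the affected machine reports a selective finding) or upstream (both do). A "dns-selective" result points at the name-resolution layer, which is where a hosts-file entry, a changed DNS server, or resolver hooking of the kind Conficker used would show up; a "connect-selective" result points at firewall, web-shield or proxy rules, which fits the poster's own firewall/sandbox question better than an infection the scanners could not find.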

I would like you to temporarily uninstall Avast.

You can also use this uninstall tool to get rid of all Avast components that are left after the uninstall process:

https://www.avast.com/uninstall-utility